
Retailers Face New Risks as Digital Opportunities Grow

The retail industry is undergoing a sweeping transformation, as social media, omni-channel shopping¹ and emerging technologies compel companies to rethink almost every aspect of their operations and develop innovative ways to accommodate customers.

As retailers expand digital opportunities, they need to contemplate an entirely new set of risks. Only by looking at the larger picture and determining how these risks are interconnected will retailers be able to develop approaches to anticipate and manage them and capitalize on the opportunities they may bring. Consider the following:

A company announced a limited-time offer for free downloads via its mobile apps and web store. The move resulted in such an enthusiastic response that it brought down the company’s servers. Furthermore, the surge in interest created by the offer resulted in inventory shortfalls due to the lack of coordination with supply chain management. Angry customers then turned to social media, venting much criticism about the company’s poor planning.

A large supermarket chain’s payment system was compromised, but the breach was undiscovered for three months—until customers began reporting fraudulent claims on their credit cards. During those three months, the numbers and expiration dates for more than two million credit and debit cards had been exposed to hackers. While the problem was corrected immediately on detection, the company was forced to divert considerable resources to damage control. The chain, despite its efforts, faces several class action lawsuits charging lax security and failure to inform its customers of the breach in a timely manner, as well as incalculable damage to its brand.

Digital risk can surface in the external environment as well as inside organizations, making it imperative for executives to adopt both “outside-in” and “inside-out” views of the company’s strategy and risk profile. “Understanding where risks are coming from can help companies identify what is under their control, so they can manage it, and what is outside of their control, so they can monitor, plan for and mitigate it,” says Keith Denham, a principal with Deloitte & Touche LLP who leads its Consumer Products, Retail and Distribution Advisory practice. “As digital continues to move to the center of the shopping experience, retailers will need to stay one step ahead in order to deliver on their customers’ escalating demands, while sidestepping unforeseen risks that may emerge along the way,” Mr. Denham adds. (See Gaps in the Digital Net: How Retailers Can Close the Risk Holes.)

The Rise of Reputational Risk

Retail executives appreciate the significance of the digital forces at play in their industry and are beginning to turn their attention to the inherent risks these forces present. When executives were asked what risk sources would be most important over the next three years in a survey by Deloitte & Touche LLP and Forbes Insights,² 27% identified social media³ after global economic environment, regulatory changes and government spending.

Further, only 21% indicated that they continually monitor reputational risk, an area where social media can have a particularly profound impact. “When it comes to digital risk in general, most retail executives view its management both narrowly and incompletely, relegating ‘ownership’ of different types of risk to departments that seem the most logical fit or allowing business units to create their own risk management plans,” says Kiran Mantha, a principal in the Advisory practice of Deloitte & Touche LLP. “As retailers try to incubate new solutions, business models, etc., it is essential that they understand how to execute these initiatives without having an overbearing risk and security infrastructure stifle that innovation,” he adds.

In a recent global survey released by Deloitte Touche Tohmatsu Limited (DTTL), Exploring Strategic Risk, company reputation and the fallout from reputational damage are named as the number one strategic risk for large companies. In some industry sectors, including retail, reputation has risen from outside the top five strategic risk concerns to the top of the list.

“The rise of reputation as the prime strategic risk is a natural reaction to recent high profile reputational crises, as well as the speed of digital and social media and the potential loss of control that accompanies it,” says Henry Ristuccia, partner, Deloitte & Touche LLP and global leader, Governance, Risk and Compliance for Deloitte Touche Tohmatsu Limited. “The time it takes for damaging news to spread is quicker, it goes to a wider audience more easily, and the record of it is stored digitally for longer. Several reputational episodes in the past three years have really brought this issue into focus for every industry. Indeed, the only sector where reputation hasn’t risen as a strategic risk factor is financial services where it was already number one following the financial crisis and subsequent fallout,” Mr. Ristuccia adds.

Nearly 50% of the 300 C-suite executives who participated in the Exploring Strategic Risk survey listed social media above other technologies, such as analytics, mobile applications and cyberattacks, as the biggest technology disruptor and threat to their business model.

Establishing a Digital Risk Framework

Companies typically maintain multiple digital assets across a different set of digital channels. Some of these, such as e-commerce web sites, mobile apps and IT infrastructure, are owned by the organization and, therefore, controlled by it. Others, such as how people use brands and digital assets and what people say about the organization or its digital assets in the digital space, are outside of the organization’s direct control.

A digital risk management framework can bring potential risks out into the open so that organizations can develop controls and repeatable processes and streamline their risk responses. However, it will not be enough for retailers to consider e-commerce, social media and other online risks in a piecemeal way.

“Only by looking at the larger picture and determining how these risks are interconnected will retailers be able to develop approaches to anticipate and manage them and capitalize on the opportunities they may bring,” says Mr. Mantha. “This approach can bring significant advantage by creating efficiencies, reducing the ad hoc crisis response and reducing the likelihood of regulatory penalties,” Mr. Mantha adds.

A digital risk framework can also help executives build those capabilities, shown below.

The framework provides management with a starting point for evaluating the organization’s ability to sense and respond to digital risk. Effective management of digital risk calls for capabilities in a number of areas, including such new skills as data analytics and risk sensing.

Reinforcing Existing Lines of Defense

Digital risk management is the product of multiple layers of risk defense, each linked via a cascading set of roles and responsibilities. However, setting the vision and assigning and coordinating these lines of defense is the responsibility of senior leaders. With a clear line of sight, they are able to see and correct redundancies in the company’s risk management structure and prioritize how the company addresses risks. “It is also up to leadership to establish a culture that values the importance of digital risk management,” says Mr. Denham. “Most important, they should ensure the lines of defense are working in tandem, continuously learning from one another.”

The business units, being closest to the customer, are almost always the first line of defense in digital risk situations. Working with IT, they should incorporate risk-informed decision-making into their day-to-day operations. They should also determine the level of risk they are willing to accept so they can mitigate risks as appropriate and escalate issues when a risk extends outside their zone of tolerance.

The second line of defense is the risk management function itself, which is responsible for creating governance and oversight procedures, setting risk baselines, and implementing risk management tools and processes.

The third line of defense is the audit function, which is responsible for verifying the effectiveness of the digital risk management process and providing management and the board of directors assurance that this process is working properly. “If audit is consistently the first to identify and flag digital risks,” notes Mr. Mantha, “that may signal that the first two lines of defense are not operating properly or that there are new risks that haven’t yet been addressed in the digital risk program.”

Developing an Ongoing “Sense and Respond” Process

An effective approach to digital risk management includes an ongoing “sense and respond” process that crosses silos and touches all stakeholders. The building blocks for this approach are not new, but together they add up to an end-to-end lifecycle process that can help organizations achieve maximum protection—with the greatest competitive benefits. Some key actions for retail executives include:

Frame and benchmark the current risk management strategy and inventory the supporting policies, processes, controls and metrics, especially as they apply to digital.

Create a digital governance structure and risk mitigation and response plans. Create policies and procedures that are relevant to the new digital age and put in place supporting risk management processes.

Roll out an integrated risk management program—including assurance programs, frameworks and activities—to business units and enabling areas, such as internal audit and IT.

“A comprehensive risk framework enables leadership to manage risk, be secure, vigilant and resilient,” Mr. Mantha notes. “It also allows leadership to consider the level of risk it is willing to take on in the pursuit of innovation and potentially lucrative new ideas. When risk management coordination is effective,” he adds, “it frees up the organization to focus on the significant opportunities presented by the unfolding digital landscape.”

Endnotes

1. A customer-centric experience that seamlessly connects a company’s digital and physical stores and allows buyers to sample and purchase merchandise via a variety of mediums, including in-store, online and mobile.

2. Aftershock: Adjusting to the new world of risk management, Deloitte and Forbes Insights, 2012.

3. Consumer and industrial products executives actually put social media in second place as a risk source, after the global economic environment.